Hackers are deploying a banking Trojan that abuses GitHub repositories whenever its command-and-control servers go down, according to a study by cybersecurity firm McAfee.
The Trojan, called Astaroth, spreads through phishing emails that prompt victims to download Windows shortcut (.lnk) files, which in turn install the malware on the host computer.
Astaroth runs in the background on victims’ devices, uses keylogging to steal banking and cryptocurrency credentials, and transmits those credentials through an Ngrok reverse proxy (a tunnelling service that exposes an attacker-controlled machine behind a public endpoint).
Its unique feature is that Astaroth reads updated server configuration from GitHub repositories whenever its command-and-control server goes down, which usually happens when a cybersecurity company or law enforcement agency takes the server offline.
“GitHub is not used to host the malware itself, but only the configuration that points to the bot server,” said Abhishek Karnik, director of threat research and response at McAfee.
Karnik explained that this abuse is distinct from previous cases involving GitHub, because here the malware operators use GitHub as a resource to redirect infected machines to updated servers.
Those earlier cases include attack vectors McAfee discovered in 2024, in which malicious actors planted Redline Stealer malware in GitHub repositories, a pattern repeated in this year’s GitVenom campaign.
“However, in this case, it is not the malware that is hosted, but the configuration that governs how the malware communicates with the backend infrastructure,” Karnik added.
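The fallback described above, in which a non-developer process fetches a small configuration file from GitHub and the host then starts talking to an Ngrok tunnel endpoint, leaves a pattern that can be correlated from ordinary DNS or network telemetry. The following is an added detection example, not code from McAfee or from the article; the event format, the process allow-list and the sample events are all constructed assumptions, and the tunnel domain suffixes are the public Ngrok domains rather than anything taken from the report.

```python
"""Correlate per-host network events to flag the pattern: a process that is
not a developer tool fetching raw GitHub content, followed within a short
window by the same host contacting an Ngrok tunnel endpoint.
All events below are constructed for illustration (hypothetical Sysmon-style
records); the field names are assumptions, not a real log schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: ws-02 shows the GitHub-then-tunnel sequence,
# ws-04 shows only the first half, ws-01/ws-03 are benign developer traffic.
SAMPLE_EVENTS = [
    {"ts": "2025-10-06T09:00:01", "host": "ws-01", "process": "code.exe",
     "dst": "raw.githubusercontent.com"},
    {"ts": "2025-10-06T09:15:00", "host": "ws-02", "process": "wscript.exe",
     "dst": "raw.githubusercontent.com"},
    {"ts": "2025-10-06T09:15:04", "host": "ws-02", "process": "wscript.exe",
     "dst": "a1b2c3.ngrok-free.app"},
    {"ts": "2025-10-06T10:00:00", "host": "ws-03", "process": "git.exe",
     "dst": "github.com"},
    {"ts": "2025-10-06T11:00:00", "host": "ws-04", "process": "regsvr32.exe",
     "dst": "raw.githubusercontent.com"},
]

# Processes for which GitHub fetches are expected (assumed allow-list; tune
# to the environment, e.g. add package managers used by your developers).
DEVELOPER_PROCESSES = {
    "git.exe", "code.exe", "python.exe", "pip.exe",
    "chrome.exe", "firefox.exe", "msedge.exe",
}
# Hosts that serve raw repository content rather than the GitHub web UI.
GITHUB_RAW_HOSTS = {"raw.githubusercontent.com", "gist.githubusercontent.com"}
# Public Ngrok tunnel domain suffixes.
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".ngrok.app")


def is_tunnel_host(dst):
    """True if the destination is an Ngrok tunnel endpoint."""
    return dst.lower().endswith(TUNNEL_SUFFIXES)


def find_suspicious(events, window=timedelta(minutes=10)):
    """Return (host, process, reason) findings.

    'github-config-then-tunnel' is the higher-confidence pattern: a raw
    GitHub fetch by a non-developer process followed by tunnel traffic
    from the same host within `window`.  'github-raw-from-nondev-process'
    is the weaker signal with no tunnel follow-up."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["dst"].lower() not in GITHUB_RAW_HOSTS:
                continue
            if e["process"].lower() in DEVELOPER_PROCESSES:
                continue
            followed = any(
                is_tunnel_host(f["dst"]) and f["ts"] - e["ts"] <= window
                for f in evs[i + 1:]
            )
            reason = ("github-config-then-tunnel" if followed
                      else "github-raw-from-nondev-process")
            findings.append((host, e["process"], reason))
    return findings


if __name__ == "__main__":
    for host, proc, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"{host}: {proc} -> {reason}")
```

The correlation window and the allow-list are the two knobs that decide the false-positive rate: developer workstations fetch raw GitHub content constantly, so the rule only becomes useful once the processes that legitimately do so are excluded, and the tunnel follow-up is what separates a curious user from a beacon looking for its bot server.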
Similar to the GitVenom campaign, Astaroth’s ultimate goal is to extract credentials that can be used to steal victims’ cryptocurrencies or transfer money from their bank accounts.
“We don’t have data on how much money or cryptocurrencies are stolen, but it seems to be very prevalent, especially in Brazil,” Karnik said.
Targeting South America
Astaroth appears to be primarily targeting South America, including Mexico, Uruguay, Argentina, Paraguay, Chile, Bolivia, Peru, Ecuador, Colombia, Venezuela, and Panama.
Although it could also target Portugal or Italy, the malware was written to avoid installing itself on systems in the United States or other English-speaking countries (such as the United Kingdom).
The malware is designed to shut down the host system when it detects that analysis tools are running, and to start keylogging when it detects that the web browser is accessing certain banking sites.
These include caixa.gov.br, safra.com.br, itau.com.br, bancooriginal.com.br, santandernet.com.br, and btgpactual.com.
It is also created to target crypto-related domains such as etherscan.io, binance.com, bitcointrade.com.br, metamask.io, foxbit.com.br, and localbitcoins.com.
In the face of these threats, McAfee advises users to use up-to-date antivirus software and two-factor authentication, and to avoid opening attachments or links from unknown senders.